While FISMA compliance grades are often high enough, critics say the law is more of a check-box exercise than one that promotes operational excellence. The Government Accountability Office has found that while most agencies comply with FISMA, the effectiveness of those compliance efforts isn't clear. The GAO will release a report on that later this year.
Bruce Brody, VP of cybersecurity at the Analysis Group and a former chief information security officer of two federal agencies, is among the critics. While he applauds FISMA's ability to bring cybersecurity to the fore, he notes that 10% of FISMA grades are simply an indication that employees are getting annual cybersecurity training, and that the process for certifying and accrediting systems as secure often ignores legacy systems.
Sen. Tom Carper, D-Del., is working on a bill to revise FISMA by mandating continuous security monitoring and measurement of the effectiveness of agencies' cybersecurity processes, including identification of weaknesses. A similar version was approved by the Senate Committee on Homeland Security and Governmental Affairs during the last session of Congress. Currently, continuous monitoring is required by regulations layered on top of FISMA, but there's not much standardization in how the monitoring is carried out, and the requirement rests on regulation rather than on the force of congressional legislation.
Under the draft bill, agencies would have to "detect, monitor, correlate, and analyze" the security of any network-connected system in an automated and continuous fashion. Any system that doesn't meet security standards would require remediation before being allowed to connect to the network.
Carper's bill may become part of broader legislation that would include proposed legislation from John D. Rockefeller IV, D-W.V., and Olympia Snowe, R-Maine, according to a spokeswoman in Carper's office. Those bills call for, among other things, more government-wide structures to be put in place overseeing cybersecurity, including the creation of a presidential adviser. "Until we have an office where 'the buck stops here,' we're still going to be operating in a spaghetti bowl model," the NSA's Maconachy says.
The Carper bill would give more weight to government-wide standards being developed by NIST, and those efforts could have a secondary effect of creating a more consistent security posture across government. For example, NIST's Security Content Automation Protocol, a standard, machine-readable way of expressing and checking security settings and configurations, was used by the Office of Management and Budget in creating the Federal Desktop Core Configuration, a recommended configuration for government computers running Windows.
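As an added illustration of what automated configuration checking of this kind looks like in practice (this is example code written for this page, not code from the article, NIST, OMB, or any SCAP scanner), here is a small Python evaluator in the spirit of an SCAP benchmark: a set of rules is evaluated against a snapshot of a host's observed settings, a setting the host does not report counts as a failure rather than a pass, a severity-weighted score tracks remediation progress from scan to scan, and an admission gate refuses network connection until every rule passes, as the draft bill would require. The rule identifiers, setting names, expected values and the two host snapshots are constructed for the example and are not the actual FDCC settings; `evaluate`, `failures`, `weighted_score`, `admit_to_network` and `report` are this example's own function names.

```python
"""SCAP-style configuration compliance check (added example).

Rules are evaluated against a snapshot of a host's observed settings,
much as a scanner evaluates an SCAP benchmark. The rule set, the
setting names and the two host snapshots are constructed for this
example; they are not the real FDCC settings or the SCAP/XCCDF schema.
"""
import operator
from dataclasses import dataclass

# Comparison operators a rule may use (a small subset of what XCCDF/OVAL allow).
OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}

# Severity weights used to track remediation progress over successive scans.
WEIGHTS = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Rule:
    rule_id: str     # benchmark rule identifier (constructed)
    setting: str     # key in the host's observed-settings snapshot
    op: str          # one of OPS
    expected: object
    severity: str    # key in WEIGHTS


@dataclass(frozen=True)
class Finding:
    rule_id: str
    setting: str
    op: str
    expected: object
    actual: object   # None when the host did not report the setting
    passed: bool
    severity: str


# Constructed desktop baseline; values are illustrative, not FDCC's.
BASELINE = [
    Rule("desk-001", "password_min_length", "ge", 12, "high"),
    Rule("desk-002", "password_max_age_days", "le", 60, "medium"),
    Rule("desk-003", "firewall_enabled", "eq", True, "high"),
    Rule("desk-004", "autorun_disabled", "eq", True, "medium"),
    Rule("desk-005", "screen_lock_timeout_min", "le", 15, "low"),
]

# Constructed snapshots, as a collection agent might report them.
COMPLIANT_HOST = {
    "password_min_length": 14,
    "password_max_age_days": 60,
    "firewall_enabled": True,
    "autorun_disabled": True,
    "screen_lock_timeout_min": 10,
}
LEGACY_HOST = {
    "password_min_length": 8,
    "password_max_age_days": 90,
    "firewall_enabled": True,
    # autorun_disabled is absent: the legacy build does not report it.
    "screen_lock_timeout_min": 15,
}


def evaluate(baseline, snapshot):
    """Return one Finding per rule.

    A setting the host does not report is a failure, not a pass: a check
    that cannot be made must never be recorded as compliant. A value of
    the wrong type (e.g. the string "8" instead of the integer 8) is
    likewise a failure rather than an exception that aborts the scan.
    """
    findings = []
    for rule in baseline:
        actual = snapshot.get(rule.setting)
        if actual is None:
            passed = False
        else:
            try:
                passed = bool(OPS[rule.op](actual, rule.expected))
            except TypeError:
                passed = False
        findings.append(Finding(rule.rule_id, rule.setting, rule.op,
                                rule.expected, actual, passed, rule.severity))
    return findings


def failures(findings):
    """The findings that still need remediation."""
    return [f for f in findings if not f.passed]


def weighted_score(findings):
    """Severity-weighted fraction of passing rules, 0.0 to 1.0.

    Re-running this on each scan gives a number that should climb as the
    holes get fixed, which is the "monitor progress" part of continuous
    monitoring.
    """
    total = sum(WEIGHTS[f.severity] for f in findings)
    passed = sum(WEIGHTS[f.severity] for f in findings if f.passed)
    return passed / total if total else 1.0


def admit_to_network(findings):
    """Admission gate: every rule must pass before the host may connect,
    matching the draft bill's remediate-before-connect requirement."""
    return not failures(findings)


def report(findings):
    """Human-readable lines, failures first so they are not buried."""
    ordered = sorted(findings, key=lambda f: (f.passed, f.rule_id))
    return ["%s %s [%s] %s=%r (expected %s %r)" % (
        "PASS" if f.passed else "FAIL", f.rule_id, f.severity,
        f.setting, f.actual, f.op, f.expected) for f in ordered]


if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT_HOST), ("legacy", LEGACY_HOST)):
        fs = evaluate(BASELINE, host)
        print("%s: score=%.2f admit=%s" % (name, weighted_score(fs), admit_to_network(fs)))
        for line in report(fs):
            print("  " + line)
```

The two design points worth carrying into a real deployment are the ones the critics' legacy-system complaint turns on: an unreported setting is treated as a failure, so an old build that cannot answer the question does not silently pass, and the gate is all-or-nothing, so a high score is a remediation metric and not a substitute for compliance.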
One gap that can't be solved through technology alone is the need for sharing of best practices and threat information. As part of a project called Einstein, US-CERT has begun monitoring traffic on federal networks and reporting attacks and anomalous activity to the agencies. However, without Top Secret-cleared personnel, US-CERT is sometimes unable to share detailed information about attacks coming from classified sources or using classified methods. CNCI will mandate agencies have 24/7 security operations centers with analysts who have security clearances.
The Carper bill explicitly lays out the role of government chief information security officers in enforcing compliance with FISMA. CISOs also would be tasked with documenting security controls, reporting incidents, conducting periodic risk assessments, and, importantly, knocking down silos by directing cybersecurity in any subordinate agency. Today, an agency isn't required to have one CISO accountable for all of its cybersecurity efforts. Carper's bill also would set up a council of government CISOs to share best practices and develop standard performance measurements.
One way to audit the effectiveness of government cybersecurity measures is a "red team approach," in which a group of white-hat hackers from NSA or elsewhere is enlisted to penetrate government systems or carry out simulated phishing attacks against agency staff.
According to SANS's Paller, one agency CISO recently did that, asking NSA to identify every place where hackers could break into his networks, and he's now monitoring progress as the holes get fixed. The agency is also implementing the Consensus Audit Guidelines, assigning threat levels to each of its 20 recommended controls.
It's an example of how, even as they keep an eye on new legislation and regulations, government cybersecurity pros can take action. They must, because threats won't wait.